I've combed through the other posts on agent.conf, and have done all
the troubleshooting I could find on why this isn't working. The
agent.conf file is not being copied to the clients. I'm running OSSEC
2.5.1 on all clients and server.
Last night (about 11 hours ago) I added an agent.conf to my central
server, restarted the server's management processes, and also
restarted the client process on two clients. On one client I removed all
but the following...
<ossec_config>
<client>
<server-ip>128.194.198.99</server-ip>
</client>
</ossec_config>
On the other client I left the ossec.conf as is. Running checks on
the server's agent.conf, here are the permissions...
ls -la etc/shared/
total 180
drwxrwx--- 2 root ossec 4096 Jun 6 22:37 .
dr-xr-x--- 3 root ossec 4096 May 27 09:03 ..
-r--r----- 1 root ossec 3060 Jun 6 22:37 agent.conf
-r--r--r-- 1 root ossec 189 Jun 6 23:09 ar.conf
-r--r----- 1 root ossec 9425 Oct 12 2010 cis_debian_linux_rcl.txt
-r--r----- 1 root ossec 8123 Oct 12 2010 cis_rhel5_linux_rcl.txt
-r--r----- 1 root ossec 14181 Oct 12 2010 cis_rhel_linux_rcl.txt
-rw-r--r-- 1 root ossec 73428 May 7 23:38 merged.mg
-r--r----- 1 root ossec 14811 Oct 12 2010 rootkit_files.txt
-r--r----- 1 root ossec 5229 Oct 12 2010 rootkit_trojans.txt
-r--r----- 1 root ossec 7929 Oct 12 2010 system_audit_rcl.txt
-r--r----- 1 root ossec 4614 Oct 12 2010 win_applications_rcl.txt
-r--r----- 1 root ossec 3798 Oct 12 2010 win_audit_rcl.txt
-r--r----- 1 root ossec 4866 Oct 12 2010 win_malware_rcl.txt
I have already run "verify-agent-conf" with no output sent back
$ bin/verify-agent-conf
$
Here's sample output from when I restart the central server
2011/06/07 10:19:51 ossec-monitord(1225): INFO: SIGNAL Received. Exit
Cleaning...
2011/06/07 10:19:51 ossec-logcollector(1225): INFO: SIGNAL Received.
Exit Cleaning...
2011/06/07 10:19:51 ossec-remoted(1225): INFO: SIGNAL Received. Exit
Cleaning...
2011/06/07 10:19:51 ossec-remoted(1225): INFO: SIGNAL Received. Exit
Cleaning...
2011/06/07 10:19:51 ossec-analysisd(1225): INFO: SIGNAL Received. Exit
Cleaning...
2011/06/07 10:19:51 ossec-maild(1225): INFO: SIGNAL Received. Exit
Cleaning...
2011/06/07 10:19:51 ossec-execd(1314): INFO: Shutdown received.
Deleting responses.
2011/06/07 10:19:51 ossec-execd(1225): INFO: SIGNAL Received. Exit
Cleaning...
2011/06/07 10:19:51 ossec-csyslogd(1225): INFO: SIGNAL Received. Exit
Cleaning...
2011/06/07 10:19:51 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit
Cleaning...
2011/06/07 10:19:51 ossec-testrule: INFO: Reading local decoder file.
2011/06/07 10:19:52 ossec-csyslogd: INFO: Started (pid: 16064).
2011/06/07 10:19:52 ossec-csyslogd: INFO: Forwarding alerts via syslog
to: '0.0.0.0:10002'.
2011/06/07 10:19:52 ossec-maild: INFO: Started (pid: 16068).
2011/06/07 10:19:52 ossec-execd: INFO: Started (pid: 16072).
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading local decoder file.
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'rules_config.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'pam_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'sshd_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'telnetd_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'syslog_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'arpwatch_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'symantec-av_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'symantec-ws_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'pix_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'named_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'smbd_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'vsftpd_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'pure-
ftpd_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'proftpd_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'ms_ftpd_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'ftpd_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'hordeimp_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'roundcube_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'wordpress_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'cimserver_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'vpopmail_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'vmpop3d_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'courier_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'web_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'apache_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'nginx_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'php_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'mysql_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'postgresql_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'ids_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'squid_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'firewall_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'cisco-
ios_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'netscreenfw_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'sonicwall_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'postfix_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'sendmail_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'imapd_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'mailscanner_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'dovecot_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ms-
exchange_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'racoon_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'vpn_concentrator_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'spamd_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'msauth_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'mcafee_av_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'trend-
osce_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ms-
se_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'zeus_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'solaris_bsm_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'vmware_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'ms_dhcp_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'asterisk_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'ossec_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'attack_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file:
'local_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Total rules enabled: '1121'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/
mnttab'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/
hosts.deny'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/mail/
statistics'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/random-
seed'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/
adjtime'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/
logs'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/cups/
certs'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/
dumpdates'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/svc/
volatile'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
System32/LogFiles'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
Debug'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
WindowsUpdate.log'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
iis6.log'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
system32/wbem/Logs'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
system32/wbem/Repository'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
Prefetch'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
PCHEALTH/HELPCTR/DataColl'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
SoftwareDistribution'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
Temp'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
system32/config'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
system32/spool'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
system32/CatRoot'
2011/06/07 10:19:52 ossec-analysisd: INFO: White listing IP:
'127.0.0.1'
2011/06/07 10:19:52 ossec-analysisd: INFO: White listing IP: '0.0.0.0'
2011/06/07 10:19:52 ossec-analysisd: INFO: White listing IP: '0.0.0.0'
2011/06/07 10:19:52 ossec-analysisd: INFO: White listing IP: '0.0.0.0'
2011/06/07 10:19:52 ossec-analysisd: INFO: White listing IP: '0.0.0.0'
2011/06/07 10:19:52 ossec-analysisd: INFO: White listing IP: '0.0.0.0'
2011/06/07 10:19:52 ossec-analysisd: INFO: White listing IP: '0.0.0.0'
2011/06/07 10:19:52 ossec-analysisd: INFO: 7 IPs in the white list for
active response.
2011/06/07 10:19:52 ossec-analysisd: INFO: White listing Hostname:
'localhost.localdomain'
2011/06/07 10:19:52 ossec-analysisd: INFO: 1 Hostname(s) in the white
list for active response.
2011/06/07 10:19:52 ossec-analysisd: INFO: Started (pid: 16078).
2011/06/07 10:19:52 ossec-remoted: INFO: Started (pid: 16086).
2011/06/07 10:19:52 ossec-remoted: Remote syslog allowed from:
'0.0.0.0'
2011/06/07 10:19:52 ossec-remoted: INFO: Started (pid: 16087).
2011/06/07 10:19:52 ossec-remoted: INFO: Started (pid: 16088).
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged
file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged
file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged
file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged
file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged
file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged
file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged
file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged
file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged
file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged
file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged
file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged
file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted(4111): INFO: Maximum number of
agents allowed: '256'.
2011/06/07 10:19:52 ossec-remoted(1410): INFO: Reading authentication
keys file.
2011/06/07 10:19:52 ossec-remoted: INFO: Assigning counter for agent
client1: '29:7341'.
2011/06/07 10:19:52 ossec-remoted: INFO: Assigning counter for agent
client2: '43:5553'.
2011/06/07 10:19:52 ossec-remoted: INFO: Assigning counter for agent
client3: '98:8938'.
2011/06/07 10:19:52 ossec-remoted: INFO: Assigning sender counter:
4:5509
2011/06/07 10:19:52 ossec-monitord: INFO: Started (pid: 16098).
2011/06/07 10:19:55 ossec-analysisd: INFO: Connected to '/queue/alerts/
ar' (active-response queue)
2011/06/07 10:19:55 ossec-analysisd: INFO: Connected to '/queue/alerts/
execq' (exec queue)
2011/06/07 10:19:56 ossec-syscheckd: INFO: Started (pid: 16094).
2011/06/07 10:19:56 ossec-rootcheck: INFO: Started (pid: 16094).
2011/06/07 10:19:56 ossec-syscheckd: INFO: Monitoring directory: '/
etc'.
2011/06/07 10:19:56 ossec-syscheckd: INFO: Monitoring directory: '/usr/
bin'.
2011/06/07 10:19:56 ossec-syscheckd: INFO: Monitoring directory: '/usr/
sbin'.
2011/06/07 10:19:56 ossec-syscheckd: INFO: Monitoring directory: '/
bin'.
2011/06/07 10:19:56 ossec-syscheckd: INFO: Monitoring directory: '/
sbin'.
2011/06/07 10:19:58 ossec-logcollector(1950): INFO: Analyzing file: '/
var/log/messages'.
2011/06/07 10:19:58 ossec-logcollector(1950): INFO: Analyzing file: '/
var/log/secure'.
2011/06/07 10:19:58 ossec-logcollector(1950): INFO: Analyzing file: '/
var/log/maillog'.
2011/06/07 10:19:58 ossec-logcollector(1950): INFO: Analyzing file: '/
var/log/httpd/error_log'.
2011/06/07 10:19:58 ossec-logcollector(1950): INFO: Analyzing file: '/
var/log/httpd/access_log'.
2011/06/07 10:19:58 ossec-logcollector(1950): INFO: Analyzing file: '/
var/ossec/logs/active-responses.log'.
2011/06/07 10:19:58 ossec-logcollector: INFO: Started (pid: 16082).
Here are the permissions on one client's "etc/shared" directory
# ls -la etc/shared/
total 176
drwxrwx--- 2 root ossec 4096 Mar 15 16:05 .
dr-xr-x--- 3 root ossec 4096 Jun 6 22:24 ..
-rw-r--r-- 1 ossec ossec 189 May 7 18:44 ar.conf
-rwxrwx--- 1 root ossec 9425 May 7 18:44 cis_debian_linux_rcl.txt
-rwxrwx--- 1 root ossec 8123 May 7 18:44 cis_rhel5_linux_rcl.txt
-rwxrwx--- 1 root ossec 14181 May 7 18:44 cis_rhel_linux_rcl.txt
-rw-r--r-- 1 ossec ossec 73428 May 7 18:44 merged.mg
-rwxrwx--- 1 root ossec 14811 May 7 18:44 rootkit_files.txt
-rwxrwx--- 1 root ossec 5229 May 7 18:44 rootkit_trojans.txt
-rwxrwx--- 1 root ossec 7929 May 7 18:44 system_audit_rcl.txt
-rwxrwx--- 1 root ossec 4614 May 7 18:44 win_applications_rcl.txt
-rwxrwx--- 1 root ossec 3798 May 7 18:44 win_audit_rcl.txt
-rwxrwx--- 1 root ossec 4866 May 7 18:44 win_malware_rcl.txt
Here's the server's info output about one of the agents... note the
missing md5sum mentioned in the documentation...
$ bin/agent_control -i 003
OSSEC HIDS agent_control. Agent information:
Agent ID: 003
Agent Name: client1
IP address: 0.0.0.0
Status: Active
Operating system: Linux client1 2.6.18-194.32.1.el5 #1 SMP W..
Client version: OSSEC HIDS v2.5.1
Last keep alive: Tue Jun 7 10:21:36 2011
Syscheck last started at: Mon Jun 6 22:24:10 2011
Rootcheck last started at: Mon Jun 6 17:19:43 2011
Any suggestions??
Thanks!
- Trey
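The repeated "Unable to create merged file" errors in the server log above mean ossec-remoted could not open etc/shared/merged.mg for writing, and merged.mg is the file the shared directory (agent.conf included) is packed into before it is pushed to agents; the server listing shows that file as -rw-r--r-- root:ossec, while remoted drops to an unprivileged user. The check below is an added example, not code from the post or the OSSEC project: it parses the listing and log lines quoted above and reports the permission mismatch, assuming remoted runs as user ossecr in group ossec (the default for a 2.x install) and that it truncates merged.mg in place rather than recreating it.

```python
import re
from typing import NamedTuple

# Constructed sample input, copied from the post: a trimmed server
# "ls -la etc/shared/" listing and the ossec-remoted lines from ossec.log.
SERVER_LISTING = """\
drwxrwx--- 2 root ossec 4096 Jun 6 22:37 .
-r--r----- 1 root ossec 3060 Jun 6 22:37 agent.conf
-r--r--r-- 1 root ossec 189 Jun 6 23:09 ar.conf
-rw-r--r-- 1 root ossec 73428 May 7 23:38 merged.mg
"""
SERVER_LOG = """\
2011/06/07 10:19:52 ossec-remoted: INFO: Started (pid: 16086).
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
"""

class Entry(NamedTuple):
    mode: str    # e.g. "-rw-r--r--"
    owner: str
    group: str
    name: str

# ls -la columns: mode links owner group size month day time-or-year name
LS_RE = re.compile(r"^([-dl][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")
MERGE_ERR = "ERROR: Unable to create merged file"

def parse_ls(listing: str) -> dict[str, Entry]:
    """Map file name -> Entry for every line of an ls -la listing."""
    entries = {}
    for line in listing.splitlines():
        m = LS_RE.match(line.strip())
        if m:
            e = Entry(*m.groups())
            entries[e.name] = e
    return entries

def can_write(e: Entry, user: str, group: str) -> bool:
    """POSIX write check for a non-root process: owner bits, else group bits, else other."""
    if e.owner == user:
        return e.mode[2] == "w"
    if e.group == group:
        return e.mode[5] == "w"
    return e.mode[8] == "w"

def diagnose(listing: str, log: str, user: str = "ossecr", group: str = "ossec") -> list[str]:
    """Findings explaining why remoted (assumed to run as user:group) cannot rebuild merged.mg."""
    findings = []
    errors = sum(1 for line in log.splitlines() if MERGE_ERR in line)
    if errors:
        findings.append(f"ossec.log: {errors} '{MERGE_ERR}' error(s); agents keep the stale merged.mg")
    entries = parse_ls(listing)
    merged = entries.get("merged.mg")
    if merged and not can_write(merged, user, group):
        findings.append(f"merged.mg is {merged.mode} {merged.owner}:{merged.group}; "
                        f"{user}:{group} cannot rewrite it (make it writable by {user}, or remove it "
                        f"so remoted recreates it, then restart the server)")
    shared = entries.get(".")
    if shared and not can_write(shared, user, group):
        findings.append(f"etc/shared is {shared.mode} {shared.owner}:{shared.group}; {user} cannot create files there")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SERVER_LISTING, SERVER_LOG):
        print("-", finding)
```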